I am unfamiliar with regex. I need to separate every field in the _raw data from this line.
06/06 12:46:17 metrics ListeningThreads=3 IdleThreads=21 WaitingThreads=0 BusyThreads=0 TotalThreads=24 DelayedRequests=0 DroppedRequests=0 HandledRequests=28 HandledTime=543 DelayedTime=0 TotalMemory=4019584 FreeMemory=3549100
I know it can be done in the transforms.conf and props.conf files. I would just use a search command.
Would it be best to break it up using spaces? The order of the data should always be the same.
My final result would be a real-time table or graph to monitor BusyThreads, HandledRequests and FreeMemory.
Help for a newbie.
Did you already index this data? Because Splunk's default behaviour is that it will extract the key=value pairs (due to the = separator).
I think I've figured it out. This is close to what I need: | search "BusyThreads*" "HandledRequest*"
Make sure you have field discovery turned on when searching?
Right, but you don't have the field extractions like IdleThreads=21 etc.?
Yes it's indexed.
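An added example, not part of the original thread: a search that charts the three metrics the question asks about, relying on the key=value extraction described above. `YOUR_INDEX` and `YOUR_SOURCETYPE` are placeholders, the one-minute span and the `latest()` aggregation are assumptions, and the `extract` line is only needed when the fields are not already extracted automatically at search time.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE "metrics"
| extract pairdelim=" " kvdelim="="
| timechart span=1m latest(BusyThreads) AS BusyThreads latest(HandledRequests) AS HandledRequests latest(FreeMemory) AS FreeMemory
```

Replacing the last line with `| table _time BusyThreads HandledRequests FreeMemory` gives the table form instead of the graph.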